Solved

How to allow relay based on IP (or hostname) without checking other rules in sendmail.cf

Posted on 2002-03-27
Last Modified: 2013-12-17
Hello, greetings:

  I am using one server as SMTP server and another as POP3 server; both have RedHat6.2 & Sendmail 8.9.3-20 installed. The SMTP server uses /etc/mail/access for anti-spam; only a few domains are set as "RELAY/OK" there, and the POP3 server uses the SMTP server as its "smart host" (because a webmail is installed on the POP3 one). Everything is fine.
  But I also set up /etc/mail/virtusertable to FORWARD some mails to other domains on the POP3 server, and the problem comes: when the POP3 server gets the email (for example, the sender is "test@hotmail.com"), that's no problem, and then, when the "virtusertable" works, the POP3 server forwards this mail by sending it to its "smart host", the SMTP server. The SMTP server checks the "sender", but test@hotmail.com is not in the /etc/mail/access file to be relayed, so SMTP responds with a "550 Access Denied" ERROR. My question is:
   1) How could I set up the SMTP server to "allow relay based on the POP3 server's IP", so that ALL mails from the POP3 server could be relayed without checking "sender & recipient"? Just like what "host_accept_relay" does in Exim.

BTW, I think maybe /etc/mail/relay-domains could do what I want, right? If so, the problem is that there's no such file after the RPM installation; moreover, I don't know whether sendmail.cf would use it if I create a new one.

Hoping for your help, thanks a lot!
Question by: wingboad
LVL 40

Expert Comment

by:jlevie
ID: 6899016
On your SMARTHOST add the IP of the other server to the access file, like:

1.2.3.4      RELAY

Rebuild the map (or restart sendmail) and the SMARTHOST should be able to relay for the POP server.
0
 

Author Comment

by:wingboad
ID: 6901248
That's what /var/log/maillog on the SMTP server showed me after I added my POP3 server's IP to the /etc/mail/access file (assume that the POP3 server's IP is "1.2.3.4" and its hostname is pop3.abc.com; "ns" is an alias of pop3. The SMTP server's IP is "2.3.4.5" and its hostname is smtp.abc.com; "www2" is an alias of smtp. Also, the sender is test@yeah.net):

1.2.3.4       RELAY
 

Logfile on SMTP server:

KAA14312: ruleset=check_mail, arg1=<test@yeah.net >, relay=pop3.abc.com [1.2.3.4], reject=550 <test@yeah.net >... Access denied
Mar 28 10:16:51 www2 sendmail[14312]: KAA14312: from=<test@yeah.net >, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pop3.abc.com [1.2.3.4]
Mar 28 10:16:51 www2 sendmail[14313]: KAA14313: from=<>, size=3392, class=0, pri=33392, nrcpts=1, msgid=<200203280217.KAA25888@pop3.abc.com>, bodytype=8BITMIME, proto=ESMTP, relay=pop3.abc.com [1.2.3.4]
Mar 28 10:16:57 www2 sendmail[14315]: KAA14313: to=<test@yeah.net >, delay=00:00:06, xdelay=00:00:05, mailer=esmtp, relay=mx.yeah.net. [202.108.36.214], stat=Service unavailable
Mar 28 10:16:57 www2 sendmail[14315]: KAA14313: KAA14315: postmaster notify: Service unavailable
Mar 28 10:16:57 www2 sendmail[14315]: KAA14315: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent



 

Logfile on POP3 server ("abc@hotmail.com" is the address in the POP3 virtusertable to forward):

In the POP3 server's /etc/mail/virtusertable, one line is like:

abc@abc.com    def@xyz.com


Mar 28 10:12:59 ns sendmail[25839]: KAA25837: to=<abc@abc.com>, delay=00:00:01, xdelay=00:00:00, mailer=relay, relay=smtp.abc.com [2.3.4.5]stat=Service unavailable
Mar 28 10:12:59 ns sendmail[25839]: KAA25837: KAA25839: DSN: Service unavailable
Mar 28 10:12:59 ns sendmail[25839]: KAA25839: SYSERR(root): deliver: mci=813e98c rcode=0 errno=29 state=0 sig=smtp.abc.com : Illegal seek
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:   0: fl=0x8000, mode=20666: CHR: size=0
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:   1: fl=0x8001, mode=100600: size=148
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:   2: fl=0x8001, mode=100600: size=148
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:   3: fl=0x2, mode=140777: SOCK localhost->[[UNIX: /dev/log]]
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:   5: fl=0x0, mode=100644: size=20480
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:   6: fl=0x1, mode=100600: size=868
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:   7: fl=0x0, mode=100644: size=20480
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:   8: fl=0x0, mode=100644: size=4096
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:   9: fl=0x0, mode=100644: size=20480
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:  11: fl=0x8001, mode=100600: size=148
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:  12: fl=0x0, mode=100600: size=1044
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:  13: fl=0x1, mode=100600: size=757
Mar 28 10:12:59 ns sendmail[25839]: KAA25839:  14: fl=0x401, mode=100600: size=165
Mar 28 10:12:59 ns sendmail[25839]: KAA25839: MCI@0: NULL
Mar 28 10:12:59 ns sendmail[25839]: KAA25839: MCI@813e98c: flags=c<CACHED,ESMTP>, errno=29, herrno=1, exitstat=0, state=0, pid=0, maxsize=0, phase=client MAIL, mailer=relay, status=5.0.0, rstatus=550 Access denied, host=smtp.abc.com, lastuse=Thu Mar 28 10:12:59 2002
Mar 28 10:13:00 ns sendmail[25839]: KAA25839: MCI@0: NULL
Mar 28 10:13:00 ns sendmail[25839]: KAA25839: MCI@813e98c: flags=c<CACHED,ESMTP>, errno=29, herrno=1, exitstat=0, state=0, pid=0, maxsize=0, phase=client MAIL, mailer=relay, status=5.0.0, rstatus=550 Access denied, host=smtp.abc.com, lastuse=Thu Mar 28 10:12:59 2002
Mar 28 10:13:00 ns sendmail[25839]: KAA25839: to=<test@yeah.net >, delay=00:00:01, xdelay=00:00:01, mailer=relay, relay=smtp.abc.com, stat=Internal error
Mar 28 10:13:00 ns sendmail[25839]: KAA25839: KAB25839: return to sender: Internal error
Mar 28 10:13:00 ns sendmail[25839]: KAB25839: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent



  It seems that the "check_relay" ruleset was passed; as far as I know, it should finish checking after this, right? But it still uses the next ruleset, "check_mail", and that's the problem. Could you explain this?

Thank you
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6901281
How did you configure the sendmail.cf files on each of these servers, via an mc file? If that's the case, can I see the mc file you used on the SMARTHOST? Otherwise, what do you see if you grep your sendmail.cf for Kaccess?

From what's in the logfiles it looks to me like your access map isn't being used. That could be because you didn't make a new map with makemap (or the sendmail restart didn't) or it could be that your configuration doesn't include support for the access map.
0
 
LVL 7

Expert Comment

by:HalldorG
ID: 6903623
By default Red Hat has the tables

/etc/mail/access

you must run

make

or

makemap hash access <access

after changing the access file
0
 

Author Comment

by:wingboad
ID: 6904096
Hi, jlevie:

  First, I indeed restarted the sendmail service after I changed the "access" file. The sendmail & sendmail-cf RPM packages were installed during the RedHat6.2 installation, and I never changed the "sendmail.mc" file.
  Here is the sendmail.mc on the SMTP server (same as on the POP3 server):



divert(-1)
dnl This is the macro config file used to generate the /etc/sendmail.cf
dnl file. If you modify thei file you will have to regenerate the
dnl /etc/sendmail.cf by running this macro config through the m4
dnl preprocessor:
dnl
m4 /etc/sendmail.mc > /etc/sendmail.cf
dnl
dnl You will need to have the sendmail-cf package installed for this to
dnl work.
include(`/usr/lib/sendmail-cf/m4/cf.m4')
define(`confDEF_USER_ID',``8:12'')
OSTYPE(`linux')
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
define(`confAUTO_REBUILD')
define(`confTO_CONNECT', `1m')
define(`confTRY_NULL_MX_LIST',true)
define(`confDONT_PROBE_INTERFACES',true)
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')
FEATURE(`smrsh',`/usr/sbin/smrsh')
FEATURE(`mailertable',`hash -o /etc/mail/mailertable')
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')
FEATURE(redirect)
FEATURE(always_add_domain)
FEATURE(use_cw_file)
FEATURE(local_procmail)
MAILER(procmail)
MAILER(smtp)
FEATURE(`access_db')
FEATURE(`delay_checks')
FEATURE(`blacklist_recipients')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not hav 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')
dnl FEATURE(`relay_based_on_MX')



  AND after I execute "less sendmail.cf | grep Kaccess", the result is: "Kaccess hash -o /etc/mail/access"
  ALSO, in the "sendmail.cf" of the SMTP server, there is such a line: "FR-o /etc/mail/relay-domains". Does this mean that if I write some IP or hostname (domain name) into this file, it could relay all mails FROM those IPs & hosts, right?

  I think the problem is related to "check_relay", "check_mail", "check_rcpt"; I am not clear how those three rulesets work. Is each ruleset checked in sequence? Or if one ruleset is satisfied, will the next ruleset be ignored?

BTW, I know such questions related to SENDMAIL theory are quite difficult to explain clearly, but I really need experts' help. THANKS again.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6904315
Right, your sendmail is configured to use the access map. And that's a part of the "check_mail" & "check_rcpt" rules. As I said earlier, it appears that your access map isn't being used. One cause could have been that sendmail didn't believe it should use the map. Another could be that the access map isn't being rebuilt.

You could tell if that's the case by executing:

# cd /etc/mail
# makemap hash access <access

For a new map to be created that command must run without error.

How about letting me see the contents of /etc/mail/access?
0
 

Author Comment

by:wingboad
ID: 6909538
OK.

You know, the POP3 server's IP is "1.2.3.4" & its hostname is pop3.abc.com, so in the "access" file I input such lines:

1.2.3.4       RELAY
abc.com       OK

I think such would accept all mails from "***@abc.com" & all mails relayed from the 1.2.3.4 machine, right?

BTW, if I want to send a mail whose sender is "abc@hotmail.com" & whose recipient is "test@yeah.net": as lots of introductions to Sendmail's access map say, here is what RELAY could do:

"Accept mail addressed to the indicated domain or received from the indicated domain for relaying through your SMTP server. RELAY also serves as an implicit OK for the other checks"

So if that's right, I could add a line in the access file like:

yeah.net    RELAY (which satisfies the relay_rcpt)

Such a mail TO test@yeah.net should be relayed by my server, right? But in fact, it seems that sendmail still does the check_mail ruleset first, while no such condition is defined in the access file, so before check_rcpt works, the mail is already "relay denied" by the check_mail ruleset, right?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6909608
I think there's some confusion here.

With respect to inbound mail from Internet hosts the Sendmail server has to believe that it is responsible for mail addressed to that domain or domains. The sendmail server will figure out from the hostname of the system that it's running on what its domain name is. For example if the server's FQDN were to be relay.dom.tld, it would believe that its domain is dom.tld and would be willing to handle mail addressed to user@dom.tld.

There are times (like when the relay box lies in a different domain or when implementing virtual domains) that the mail server needs to accept mail for other than the sendmail server's native domain. In that case the additional domains must be listed in /etc/mail/sendmail.cw or /etc/mail/local-host-names, whichever sendmail is configured to use. Common practice is to always list the server's domain and then list any other domains. For example, if the server's FQDN is as above, but it is also to relay mail destined for user@other.tld, local-host-names (or sendmail.cw) would contain:

dom.tld
other.tld

Now unless told otherwise, as is the case when implementing a relay box, sendmail assumes that any mail it is to accept is for a local user account. On a relay box this isn't the case and the easy way of handling the forwarding is to create a virtusertable entry something like:

@dom.tld        %1@pop3.dom.tld

which causes all mail to be re-sent to the same username at pop3.dom.tld. I.E., mail received from an Internet host addressed to joe@dom.tld will be re-sent to joe@pop3.dom.tld.

Okay, that takes care of inbound mail from the Internet. As far as sendmail is concerned a relay occurs when a mail message reaches the server and isn't destined for a local account on that server. Relaying is only allowed if one of the following conditions is met:

1) Sendmail has been told to relay its entire domain and the system sending the message appears to lie within the domain of the server as evidenced by a reverse lookup of the client's IP. So if 1.2.3.4 tries to send a message to some Internet address and a reverse lookup of 1.2.3.4 returns some-sys.dom.tld, the relay is allowed. Obviously mail sent from the sendmail server itself is a special subcase of this rule. (NOTE: the sendmail configuration has to be adjusted from the default for this to work).

2) SMTP AUTH is in use and the client has properly authenticated to sendmail. (NOTE: this also requires a change in the configuration)

3) The IP or network of the client machine is listed in the access map with a RELAY action. Hostnames and domain names can be used here, but those clients must have valid reverse lookups in the DNS that lie within the domain(s) specified for this to work. Generally when using the access map for this one does so because reverse lookups won't return the necessary data, else one would implement case (1). So, IPs are preferable.

Once sendmail realizes that it's okay to relay mail for a specific client it doesn't care where the mail is going. It'll simply look up the mail server for that address and send the message on out.

In this particular case the IP of your POP3 server needs to be in /etc/mail/access, like

1.2.3.4   RELAY

and the access map needs to have been rebuilt with:

# cd /etc/mail
# makemap hash access <access

And if your domain were to be abc.com, /etc/mail/local-host-names (or /etc/mail/sendmail.cw) needs to contain:

abc.com

Sendmail only reads local-host-names at startup, so sendmail needs to be restarted each time that file is changed. To complete the solution for a relay server, /etc/virtusertable must contain:

@abc.com    %1@pop3.abc.com

and the map rebuilt with:

# cd /etc/mail
# makemap hash virtusertable <virtusertable

There are other ways of implementing the forwarding, but the virtusertable method above is the simplest.

That configuration will work properly with the default sendmail configuration on RH 6.2. However, if you've fiddled with the sendmail configuration with any method other than building a sendmail.cf from an .mc file all bets are off. I've seen webmin and linuxconf both muck up the sendmail configuration in such a way as to cause one or more of the above capabilities to not work. And, improper use of the directives in an .mc file can also cause problems.
0
 

Author Comment

by:wingboad
ID: 6911542
 First, I should say thanks for such detailed info.
But I really did all you suggested on my POP3 server: in the sendmail.cw & virtusertable files. If I set up virtusertable to point the inbound mail to a local user, that's no problem, so this is not a problem with the POP3 server. It's a problem with my SMTP server's "relay policy".
  Here is the maillog on the SMTP server (I wrote it before):

KAA14312: ruleset=check_mail, arg1=<test@yeah.net >, relay=pop3.abc.com [1.2.3.4], reject=550 <test@yeah.net >... Access denied

You see that "ruleset=check_mail"? Does that mean that after sendmail passed the "check_relay" ruleset, because my POP3 server is listed in the "access" file as "1.2.3.4   RELAY", as you said, relay should be OK without checking the mail's SENDER & RECIPIENT, right? In theory it should, I think, but the log tells us it's not. Here is the focus to solve my trouble.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6911912
I've asked this before and I still don't know what the answer is. What do you see if you do 'grep Kaccess /etc/sendmail.cf' on the relay server?

What is the contents of /etc/mail/access on the relay server and are there any error messages if you do:

# cd /etc/mail
# makemap hash access <access

on the relay server?

On a like note, what is the contents of virtusertable on the relay server?

What does /etc/mail/sendmail.cw contain on the relay server?

Is the sendmail.cf file on the relay server the one installed with the OS or has it been changed by any means since installation of the OS?
0
 

Author Comment

by:wingboad
ID: 6914695
Hi, jlevie:
   I may have found where the problem is:
   I've changed the sendmail.cf on the Relay Server; at the end of the "check_rcpt" ruleset, there is a line like this:

R$*              $#error $@ 5.7.1 $: "550 Relaying denied"

   I added one line just ahead of this line, like:

R$*              $@OK

   Then the relay based on IP in the access file has a problem, because I tested it on the POP3 server, making it the Relay Server, & its sendmail.cf was never changed. After I add one IP in the access file to be relayed, it works fine without checking the sender's & recipient's addresses.

   Now my question is:

1) How does sendmail use those three rulesets, "check_relay", "check_mail", "check_rcpt"? Is there any sequence in using them?
2) I've seen some docs that say in the access file we could use:

Connect:1.2.3.4     RELAY
To:abc.com          OK

Is that right in sendmail 8.9.3-20, which RedHat6.2 installs?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6914786
That's the wrong fix. Any spammer that finds your relay server and is even slightly creative can now use your system as a relay for spam.

You need to put sendmail.cf back like it was and examine what the other configuration items look like. And while I'm thinking about it, before you edited sendmail.cf had it been changed from the installation version in any way by any tool?

I need to see the answers to all of the questions I posed in my previous comment. I'm reasonably certain that the answer to your problem lies in what that data reveals (and the question I posed above in this question).
0

Author Comment

by:wingboad
ID: 6919794
OK, jlevie:
   Here are those questions & answers below:

Q:  How did you configure the sendmail.cf files on each of these servers, via an mc file?
A:  I never compiled the sendmail.cf from the sendmail.mc file; I used it directly after the installation.

Q:  What do you see if you do 'grep Kaccess /etc/sendmail.cf' on the relay server?
A:  It shows me: Kaccess hash -o /etc/mail/access

Q:  Are there any error messages if you do:

# cd /etc/mail
# makemap hash access <access
A:  No problem, it runs.

Q:  What is the contents of /etc/mail/access on the relay server
A:  It is: (1.2.3.4 & pop3.abc.com is my POP3 server)

localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
1.2.3.4                         RELAY
abc.com                         RELAY
com                             REJECT
cn                              REJECT
net                             REJECT
org                             REJECT
edu                             REJECT
gov                             REJECT

(because I added the line "R$*  $@ OK" in check_rcpt)

Q:  What is the contents of virtusertable on the relay server
A:  Nothing, because only the POP3 server has contents; the SMTP server only sends out mails from the POP3 server or clients.

Q:  What does /etc/mail/sendmail.cw contain on the relay server
A:  Nothing; such stuff is handled on the POP3 server.

Q:  Is the sendmail.cf file on the relay server the one installed with the OS or has it been changed by any means since installation of the OS?
A:  Yes, on the relay server I added one line at the end of the check_rcpt ruleset, as you know: "R$*  $@ OK", to avoid the Relay server checking the recipient's address when the mails come from clients, which have no fixed IP to be added into the "access" file to be relayed.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6919853
From that it's really rather obvious why the SMTP server really fails unless you change the contents of sendmail.cf.

/etc/mail/access must contain only:

1.2.3.4    RELAY

the localhost stuff isn't needed and the REJECT's need to be removed. By having com, net, etc in access marked as reject you've told sendmail to reject any mail that appears to come from essentially anywhere on the Internet, including your test message to hotmail.com. The access map can be used for anti-spam control, but not by rejecting anything from top level domains. What you can do is to list a host, domain, or IP to be rejected, like:

some.spammer.net   REJECT
many-spammers.com  REJECT

Next /etc/mail/sendmail.cw needs to contain your domain name.

And finally virtusertable must contain:

@your-domain.tld       %1@your-pop3.your-domain.tld

Without that in virtusertable the relay server won't accept mail from Internet hosts destined for your domain. It'll bounce the message with an error of "No such user". And it'll be right since you wouldn't have accounts for all your users on the SMTP relay. Furthermore you have to have the virtusertable entry, or an alias for each user account, to tell sendmail where the mail is to be relayed to. That, of course, assumes that you'll be using the SMTP server as a true relay and make it the MX for your domain.
0
 

Author Comment

by:wingboad
ID: 6940930
Hi, jlevie:

   First, I should say SORRY, because I could not access the Internet due to business, so I did not reply to you in time. ~~~
   OK, I know what you mean in the last comment you added, but in addition I am using a dynamic IP that should be relayed by my SMTP server, so I could not keep only "1.2.3.4  RELAY" in my access file. That's the problem (I didn't mention it before).
   So I think we don't discuss this any more; could you please tell me about this question I asked before:

 2) How does sendmail use those three rulesets, "check_relay", "check_mail", "check_rcpt"? Is there any sequence in using them?

Thanks
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6942439
Which system has the dynamic IP? If it's the POP server how do users find it to use the webmail interface? You could, with a bit of work, arrange to make sure that the POP server's IP in the SMTP server's access file is updated when the IP of the POP server changes. That would work if the IP doesn't change each time the POP server connects.

As I recall, check_relay is the first of them to be executed on the initial connection of the remote sender. Then check_from and check_rcpt are called, in order.

Be aware that if you still have the check_relay function disabled by your edit, your SMTP server is now a promiscuous relay and can be used by spammers to flood the Internet with spam. Sooner or later spammers will find it and sometime after that you are likely to find that you've been black-listed and that you can't send email to a lot of places on the Internet. It's really important to leave the check_* routines alone and to solve the relay problem through means that don't leave the SMTP open to abuse by spammers.

0
 

Author Comment

by:wingboad
ID: 6943645
>Which system has the dynamic IP?

No, it's not my POP3 server; it's the mail gateway of my office as a remote user. All computers in our office use the gateway to send/receive mails via the SMTP/POP3 servers.

>As I recall, check_relay is the first of them to be executed on the initial connection of the remote sender. Then check_from and check_rcpt are called, in order.

If Sendmail checks those three rulesets in that order, could you tell me: when a mail satisfies the check_relay ruleset, will the other two rulesets still check this mail or not? For example:

In my /etc/mail/access file, I have

1.2.3.4    RELAY
com        REJECT

As you said, when a mail from abc@hotmail.com is sent by my POP3 server (1.2.3.4), Sendmail would use the check_relay ruleset first. Obviously, because it's from 1.2.3.4, it should be relayed, right? But do check_from & check_rcpt still work? If they work, this mail would be "rejected" (that's what I tested, so I guess the other two rulesets still work although the mail satisfied the check_relay ruleset. Could you explain?)
   BTW, thanks for your reminder about being an "open" SMTP server for those spammers. I think what I should do is:

1) leave all check_* rulesets alone, and never change them in sendmail.cf
2) use "access", "relay-domains", "virtusertable" etc. as the "anti-spammer" strategy
3) find out a solution to ALLOW RELAY by dynamic IP

What's your opinion?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6943831
Hmm, I wonder if there's a terminology/configuration fuzziness going on here. I thought I understood your problem until I read the last part of that comment. Bear with me while I try to re-state the problem.

Let me see if I can describe what I now think you have. You have an SMTP relay server for your office and it has a dynamic IP. You have local users within your organization that must use the server for email. I'd guess that your local users are inside of a firewall and that your SMTP relay server is outside of the firewall. You have one or more SMTP/POP servers within the organization (probably inside of the firewall) that should use the relay server for all inbound and outbound email. Right now inbound email that is accepted by the relay server and forwarded to the internal POP servers is delivered, but outbound email from the POP server is rejected (fails the relay check) by the relay server.

Two things must be configured on the relay server for inbound and outbound email to be properly handled. One is that the relay server needs to believe that the recipient of an inbound message from the Internet corresponds to a local account. The easiest way to accomplish that is to introduce a virtusertable translation that looks like:

@my-dom.tld
0
 
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 6943876
Rats... I don't know how that got prematurely submitted...

Two things must be configured on the relay server for inbound and outbound email to be properly handled.
One is that the relay server needs to believe that the recipient of an inbound message from the Internet
corresponds to a local account. The easiest way to accomplish that is to introduce a virtusertable translation
that looks like:

@my-dom.tld            %1@my-pop-srv.mydom.tld

If 'hostname' on the SMTP relay doesn't return something that ends in your domain name, which is quite possible if it gets a dynamic IP from your ISP, you'll also have to have your domain listed in /etc/mail/local-host-names.

Since the relay box sees email to some-user@my-dom.tld as corresponding to a local user, even though there isn't really a local account, it will accept the mail and forward it to your inside POP server.

Outgoing email from your POP server(s) addressed to anywhere except the relay server will be rejected by the check_relay rule set unless the relay server believes that the sending machine (your pop server) is allowed to relay through the system. Since the DNS that the relay box uses doesn't include a reverse lookup entry for your POP server, you have to enable the relaying by including the IP of the POP server in the relay system's access map.

Unless you have some special arrangement (like using a Dynamic DNS server) for your relay system you are going to have other problems. For the relay box to accept inbound email the hostname of the relay box will have to be listed as the MX host for your domain in the Internet's view of your domain. Without that Internet hosts aren't going to know how to find your mail server. Obviously that's going to be a problem if the box has a dynamic IP.

Now as to what else is in your access map.

If you have:

1.2.3.4       RELAY
com           REJECT

and a message (to user@hotmail.com) from one of your users is passed via the POP server (at 1.2.3.4) to the relay server, it will be relayed. Well, providing that your domain doesn't end in .com. If your domain name ended in .com the message would be rejected by the relay server even though it passed the first test. Also if a user at hotmail.com attempted to send a message to one of your users the relay box would reject it because of the "com" rule.

While it is tempting to reject anything that ends in .com or .net as a measure of spam control, that's a bit like using nuclear weapons to kill roaches in your house. A nuclear weapon would certainly kill the roaches, but your house wouldn't exactly be habitable afterwards.

It is appropriate to use specific hostnames or domains in the access map for spam control, like:

ombramarketing.com      550 Rejected due to spam originating from ombramarketing.com
qves.com                550 Rejected due to spam originating from qves.com
pm0.net                 550 Rejected due to spam originating from pm0.net
ethome.net.tw           550 Rejected due to spam originating from ethome.net.tw
em5000.net              550 Rejected due to spam originating from em5000.net
p-box.it                550 Rejected due to spam originating from p-box.it
giga.net.tw             550 Rejected due to spam originating from giga.net.tw
dejazzd.com             550 Rejected due to spam originating from dejazzd.com
customoffers.com        550 Rejected due to spam originating from customoffers.com
giantrewards.com        550 Rejected due to spam originating from giantrewards.com

Those are from one of my mail servers and they are in the access map because of consistent spam from those domains. And you must be extremely careful before adding a host or domain name to the access map for rejection. You can't use the From: address as the source of the email. Spammers normally don't put a real address (or the actual source of the spam) in the From line. You have to look at the envelope (view all headers) to see where the mail really came from.


As to the rule sets, yes each of the rulesets will be run before sendmail will process the message. Just because a message passed one of the rules doesn't mean that sendmail should skip the other rules.
0
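The lookup order behind that answer, as an added example written for this page (not sendmail's own rules and not code from the thread): a simplified Python model of how an untagged access map of the kind used on sendmail 8.9 is consulted by check_relay, check_mail and check_rcpt, each ruleset running in turn. The access file contents, the local-host-names set, the client addresses and the open_relay_patch flag (which stands in for the "R$* $@OK" edit discussed above) are constructed for the example; the key walk (full address, then each parent domain; full IP, then shorter prefixes) follows the documented access_db lookup.

```python
"""Simplified model of how an untagged (sendmail 8.9-style) access map is
consulted by check_relay, check_mail and check_rcpt (example code for this page)."""
import ipaddress

# Constructed /etc/mail/access mirroring the thread: a RELAY client, a domain
# relayed for, and the over-broad top-level-domain REJECTs the answer warns about.
ACCESS_FILE = """\
1.2.3.4        RELAY
abc.com        RELAY
com            REJECT
net            REJECT
"""
# Constructed sendmail.cw / local-host-names: mail for these is local, never a relay.
LOCAL_HOST_NAMES = {"smtp.abc.com"}


def parse_access(text):
    """Parse 'key <whitespace> value' lines into a dict; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table


def host_keys(host):
    """Keys tried for a host name, most specific first:
    'mail.hotmail.com' -> ['mail.hotmail.com', 'hotmail.com', 'com']"""
    labels = host.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def ip_keys(ip):
    """Keys tried for an IPv4 client, most specific first:
    '1.2.3.4' -> ['1.2.3.4', '1.2.3', '1.2', '1']"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def address_keys(addr):
    """Keys for an envelope address: the full address, then its domain and every
    parent domain, so a bare 'net REJECT' catches test@yeah.net."""
    return [addr.lower()] + host_keys(addr.rpartition("@")[2])


def lookup(table, keys):
    """Value of the first (most specific) matching key, or None."""
    return next((table[k] for k in keys if k in table), None)


def check_relay(table, client_ip, client_host):
    """Connection-time check on the client. A RELAY hit here does not skip the
    later rulesets; it only marks the client as allowed to relay."""
    if lookup(table, ip_keys(client_ip) + host_keys(client_host)) == "REJECT":
        return "550 Access denied"
    return None


def check_mail(table, sender):
    """MAIL FROM check: the sender's domain chain is looked up regardless of the
    client, producing the thread's 'ruleset=check_mail ... Access denied' line."""
    if lookup(table, address_keys(sender)) == "REJECT":
        return "550 Access denied"
    return None


def check_rcpt(table, client_ip, client_host, rcpt, open_relay_patch=False):
    """RCPT TO check: relay only for an allowed client, a local domain, or a
    destination domain marked RELAY. open_relay_patch stands in for the
    'R$*  $@OK' line added in the thread, which accepts every recipient."""
    if open_relay_patch:
        return None
    if lookup(table, ip_keys(client_ip) + host_keys(client_host)) == "RELAY":
        return None
    domain = rcpt.lower().rpartition("@")[2]
    if domain in LOCAL_HOST_NAMES or lookup(table, host_keys(domain)) == "RELAY":
        return None
    return "550 Relaying denied"


def evaluate(table, client_ip, client_host, sender, rcpt, open_relay_patch=False):
    """Apply the rulesets in sendmail's order: (ruleset, reply) of the first
    rejection, or ('accepted', '250 OK') when all three pass."""
    results = (
        ("check_relay", check_relay(table, client_ip, client_host)),
        ("check_mail", check_mail(table, sender)),
        ("check_rcpt", check_rcpt(table, client_ip, client_host, rcpt, open_relay_patch)),
    )
    for name, reply in results:
        if reply:
            return name, reply
    return "accepted", "250 OK"


def broad_entries(table):
    """Keys that are a bare top-level domain (no dot, not numeric): each one
    matches every host and address under that TLD."""
    return sorted(k for k in table if "." not in k and not k.isdigit())
```

With the thread's own entries, mail from test@yeah.net via the RELAY client 1.2.3.4 is still refused by check_mail through the bare "net" key, while a map holding only the RELAY line lets the same message through and still refuses relay for an unknown client.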
 
LVL 24

Expert Comment

by:SunBow
ID: 6949153
(listening...)
0
 

Author Comment

by:wingboad
ID: 6949480
Thanks for your detailed description, jlevie. I will accept this as "the answer".

But I still have two questions:

1) As you said:

>As to the rule sets, yes each of the rulesets will be run before sendmail will process the message.
>Just because a message passed one of the rules doesn't mean that sendmail should skip the other rules

 I wondered whether each mail should be checked through all these 3 rulesets and, after satisfying each, could be relayed. But in my test this is apparently not true, I think. For example, if in my access file there is:

  1.2.3.4    RELAY

then my SMTP server would relay all mails coming from 1.2.3.4, and never check the Sender's/Recipient's address. For what reason?
  Another example: if in my access file there is:

  abc.com    RELAY

then all mail whose Recipient is xxx@abc.com could be relayed by my SMTP server, while the Sender's address is never checked by the check_from ruleset. But if this mail is coming from xxx@abc.com to an arbitrary domain, it will be rejected. I am puzzled by such stuff. Could you explain to me? Thanks.

2) If I have an SMTP server remotely, and only have a dynamic IP locally, if I want my SMTP server to relay all mails from local, what kind of solution could I follow?
0
 

Author Comment

by:wingboad
ID: 6952360
Did you receive my last comment?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6952374
Yes. I'll have to do a bit of research to be able to clearly explain what each of the check_ things does. Perhaps by tomorrow I'll have had time to do the research and compose a comment.
0
 

Author Comment

by:wingboad
ID: 6952766
OK, no problem, thanks a lot
0
